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(54) Authentication method by means of a storing device 



(57) A user authentication method performed by a 
computer (FS) by means of a device (6) for storing data 
derived from a smart card (4) though cryptographic op- 
erations, in said smart card (4) being stored a digital cer- 
tificate (CD C | E ), a private key (PrK CIE ) and the public key 



(PbK aE ) corresponding to said private key (PrK^); 
since said storing device (6) is univocally bound to said 
smart card (4), it can be used in an apparatus (10) able 
to communicate with said computer (FS) of a service 
provider, in order to authenticate the user of the storing 
device (6). 
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Description 

[0001] The object of the present invention is an au- 
thentication method by means of a storage device. 
[0002] Electronic devices for storing information, like 
for instance magnetic and optical disks, microproces- 
sors and so on, are in use since a lot of time. 
[0003] Among said devices are also included cards 
for storing information. Said cards are used for different 
purposes: phone cards, credit cards or bank cards in 
general, cards for surveying the presence at the place 
of work and so on. 

[0004] Said cards have been flanked by the so called 
smart cards that, besides storing information, also con- 
tain a unit (chip) able to process information. 
[0005] In the case of the smart cards, new applica- 
tions allowing a more active role of the cards are coming 
forward in order to exploit fully the capability of their 
processing devices. 

[0006] On the card is stored information relative to the 
authorisations provided for the holder who will be able 
to obtain or not certain services at the end of an authen- 
tication procedure managed by service administration 
bodies (server). 

[0007] The user authentication consists in guarantee- 
ing to the service provider that the user is effectively that 
who is declaring to be. The authentication procedure is 
an essential element for providing remote services be- 
cause the service provider does not have the possibility 
to verify personally the identity of whom is asking to ob- 
tain a certain service. 

[0008] The use of the smart cards is diffusing rapidly 
also for services concerning the everyday's life, for in- 
stance the services provided by the public administra- 
tion, and in the next future the use of a card and of a 
communication network will be indispensable for obtain- 
ing a big part of said services. 

[0009] The use of the electronic identity card, that will 
replace in the next future the traditional paper identity 
card, is to be considered in this perspective. The elec- 
tronic identity card will contain personal information both 
visibly printed on the card itself, like for instance the 
name, the surname, the place and the date of birth, and 
stored in digital form. Secret information will be also 
stored on the card as well, that is to say information ac- 
cessible only to the electronic identity card's holder by 
means of a personal secret code or PIN (Personal Iden- 
tification Number). 

[0010] Since the electronic identity card must consent 
to identify its holder in a safe way, telematically as well, 
in order to allow the provision of diversified and always 
newer services as said services are conceived and 
made ready by the administrations, the card will be gen- 
erally provided with a microprocessor allowing said 
functionalities, thereby guaranteeing, at a logical level, 
the identity of the card's holder in the telematic transac- 
tions during which the parties can not "see" each other. 
[0011] Besides, the diffusion of said cards will make 
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necessary to dispose of card readers at low cost and of 
simple use. 

[0012] An electronic identity card reader will be pro- 
vided for instance at the public administration bodies ap- 

5 pointed for delivering the services. 

[0013] Other readers will be installed at a certain 
number of peripheral offices, but, in any case, it is hardly 
imaginable that in the next future each user will be pro- 
vided by the public administration with an electronic 

10 identity card reader that, in any case, must be connected 
at least with a computer and with a modem. Obviously, 
this fact constitutes a limit to the diffusion of the elec- 
tronic identity card. 

[0014] For making the use of the electronic identity 
15 card more advantageous, it would be desirable that the 
user could use the card by means of a tool more diffused 
than a special-purpose reader. 

[0015] Besides, it would be desirable that the user 
could use the card also for purposes different from those 

20 connected with the public administration services, for in- 
stance for obtaining services delivered by service pro- 
viders, like banks and shops of every kind, in order to 
give life to electronic commerce transactions. 
[0016] In other words, the success of the electronic 

25 identity card, for the realisation of which the govern- 
ments of various countries are investing considerable 
economic funds, will benefit from the fact that the user 
of the electronic identity card could use his/her electron- 
ic identity card or an equivalent of it, for instance for car- 

30 rying out a banking operation without going to a bank or 
for buying a good without going to a shop. 
[001 7] Yet it is clear that it is necessary to find a means 
allowing to the citizen holding an electronic identity card, 
that, as far as Italy is concerned, will be distributed to 

35 each citizen by the end of 2004, to carry out operations 
with the service providers safely, easily, economically 
and without going in person to the service provider. 
[0018] The present invention identifies the mobile 
phone, by this time largely diffused among all the layers 

to of the population, as the means able to consent to the 
electronic identity card's holder to use the data therein 
contained for requesting certain services to a service 
provider by means of a normal phone call. 
[0019] It is an object of the present invention to realise 

45 a user authentication method by means of a smart card, 
in particular by means of a smart card of the type used 
in the mobile phones. 

[0020] This and other objects of the invention are ob- 
tained with the method as claimed in the hereby at- 

50 tached claims. 

[0021] Advantageously, for being able to exploit the 
invention, the user holding an electronic identity card on- 
ly needs a mobile phone, by this time largely diffused 
among the population, with its relative smart card. 

55 [0022] For satisfying the criteria necessary to a safe 
information exchange, it is known to turn to cryptogra- 
phy, that is to the science dealing with the protection and 
the mathematical transformation of data into a non- 
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readable format, thereby offering authentication, integ- 
rity, secrecy and nonrepudiation services. 
[0023] The invention uses known cryptographic tech- 
niques, like the asymmetric cryptography with a public 
or a private key and the "hashing" algorithms, that is to 
say algorithms for obtaining a fixed-length string starting 
from a variable-length string. 

[0024] Advantageously, the invention exploits infor- 
mation already present on the electronic identity card, 
in particular the public key, the private key and the digital 
certificate, that can be used for processing data crypto- 
graphically and for making safe the information ex- 
change between the user and the service provider. 
[0025] In addition, the digital certificate contains infor- 
mation about its owner, about the certification authority 
that issued the certificate and, in case, the list of the au- 
thorities disposing of the certificate revocation lists is- 
sued by the certification authority. 
[0026] It is important to point out that the level of au- 
thentication obtainable by means of the method accord- 
ing to the invention is the same as the level guaranteed 
by the electronic identity card. 

[0027] Besides, the present invention advantageous- 
ly provides for the interruption in the service provision if 
anomalies during the card authentication procedure are 
discovered, for instance in case the cards result to be 
stolen, tampered with or expired, or in case someone 
tries to impersonate another individual. 
[0028] Moreover, as far as the phone communication 
is concerned, the fact of being able to rely upon reliable 
and tested technologies like for instance the GSM tech- 
nology is a further advantage for the user. In any case, 
the invention leaves out of consideration the communi- 
cation protocol used with the service provider and there- 
fore can be also used with possible improvements of the 
current communication standards, or with new commu- 
nication standards. 

[0029] The above mentioned and other objects of the 
invention will appear more clear from the detailed de- 
scription of seven embodiments of the method accord- 
ing to the invention with particular reference to the here- 
by attached drawings, wherein: 

Figure 1 shows a device according to the invention 
for transferring data from an electronic identity card 
to a smart card of the type used in a mobile phone; 
Figures 2a,2b and 2c are respectively three sche- 
matic representations of communication systems 
applying the method according to the invention; 
Figures 3 and 4 are a flow chart of a first embodi- 
ment of the authentication method according to the 
invention; 

Figures 5 and 6 are a flow chart of a second em- 
bodiment of the authentication method according to 
the invention; 

Figures 7 and 8 are a flow chart of a third embodi- 
ment of the authentication method according to the 
invention; 



Figures 9 and 1 0 are a flow chart of a fourth embod- 
iment of the authentication method according to the 
invention; 

Figures 1 1 and 1 2 are a flow chart of a fifth embod- 
5 iment of the authentication method according to the 

invention; 

Figures 13 and 14 are a flow chart of a sixth em- 
bodiment of the authentication method according to 
the invention; 

10 - Figures 1 5 and 1 6 are a flow chart of a seventh em- 
bodiment of the authentication method according to 
the invention. 

[0030] With reference to the Figure 1, it is shown a 

15 device 1 provided with two slots 2,3 respectively for in- 
serting an electronic identity card 4 equipped with a mi- 
croprocessor 5 and with a smart card 6 or SIM (Sub- 
scriber Identity Module) of the type used in the mobile 
phones, said SIM being provided with a memory area 

20 8, wherein it is possible to store data, and being 
equipped with a microprocessor 7. 
[0031 ] The data used by the method according to the 
invention are stored on the electronic identity card 4. In 
particular, it is about a digital certificate CD CIE , a public 

25 key PbK CIE and a private key PrK CIE . 

[0032] The digital certificate CD clE , currently ar- 
ranged in format X.509, or public-key PbK CIE digital cer- 
tificate is a declaration issued by a certification authority 
CA which guarantees, thanks to the digital signature, the 

30 association between the public key PbK C)E and the iden- 
tity of the object (user, peripheral or service) owning the 
corresponding private key PrKc^. 
[0033] The public key PbK^ and the private key 
PrK C!E are mathematically correlated so that only the 

35 owner of the private key PrK C)E is able to decode a 
digital information coded with the public key PbKc IE . 
[0034] It is important to point out that the private key 
PrK C)E is invisible from outside but can be used for cryp- 
tographic operations. 

40 [0035] In addition, the device 1 provides for some 
ports, not represented in the figure, for the possible con- 
nection to a computer, to a network, to Internet, or to a 
different electronic device. 

[0036] Moreover, the device 1 will be able to perform, 
45 by means of a data processing unit and of an appropri- 
ate software, data reading operations from the electron- 
ic identity card 4, data reading and writing on the SIM 6, 
and data processing, therein comprising data crypto- 
graphic operations. 

50 

Example 1 

[0037] It is now described a first example of the meth- 
od for authenticating the user of an electronic identity 
55 card 4 by means of a SIM 6 of the type suitable to be 
used in a mobile phone. 

[0038] During the preparation stage of said SIM 6, the 
electronic identity card 4 and the SIM 6 are respectively 
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inserted into the respective slots 2,3 of the device 1. 
[0039] With reference to the Figure 3, at step 101 the 
device 1 requests and obtains from the SIM 6 a unique 
string ID SIM , which is generally the serial number of the 
SIM, univocally assigned by the SIM manufacturer itself. 5 
Agreements reached between the different SIM manu- 
facturers prevent that two SIMs having the same ID S)M 
may exist. In this same step the device 1 requests and 
obtains the digital certificate CD CIE from the electronic 
identity card 4. 10 
[0040] At step 1 03 the device 1 concatenates the dig- 
ital certificate CD C!E with the unique string ID SIM , there- 
by obtaining a string CD CIES | M = CD C!E # ID SIM . 
[0041] At step 105 the device 1 or the electronic iden- 
tity card 4 performs a cryptographic operation by means *5 
of a "hashing" algorithm on the string CD CIES | M obtained 
at step 103, thereby obtaining a string HCD clESIM = H 
( cd ciesim)- 

[0042] At step 1 07 the electronic identity card 4 uses 
the private key PrK C)E for performing an asymmetric 20 
cryptographic operation on the string HCD C | ES[M ob- 
tained at the step 105, thereby obtaining a string 

HCD CIESIM = HCD CIESIM ® PrK CIE« 

[0043] At step 1 09 the string HCD* C , ESIM and the dig- 
ital certificate CD CIE containing the public key P b K CIE of 25 
the electronic identity card 4 are stored in the SIM 6. In 
this way the electronic identity card 4 is univocally bound 
to the SIM 6 of the mobile phone 10. 
[0044] Then the SIM card 6 can be taken out from the 
device 1 and be inserted into a mobile phone 1 0 for be- 30 
ing used in the authentication procedure with a service 
provider, for instance a bank, the public administration 
or a shop. 

[0045] With reference to the Figures 2a and 4, it will 
be now described the authentication procedure accord- 35 
ing to this first embodiment of the invention. 
[0046] By making a phone call to a service provider, 
the mobile phone 10 containing the SIM 6 is put into 
communication with a computer FS of a service provid- 
er. 40 
[0047] During the stage of use of said SIM 6, at step 
151 the computer FS of the service provider requests 
and obtains from the SIM 6, by means of the mobile 
phone 10, the string HCD' CIES | M , the digital certificate 
CD CIE , and the unique string ID S | M of the SIM 6. 45 
[0048] At step 1 53 the computer FS of the service pro- 
vider concatenates the digital certificate CD CIE with the 
string ID SIM , thereby obtaining the string CD* CIESIM = 
CD CIE #ID SIM . 

[0049] At step 1 55 the computer FS performs a cryp- 50 
tographic operation by means of a "hashing" algorithm 
on the string CD* C[ESIM obtained at step 153, thereby 
obtaining a string HCD* CIESIM « H(CD* CIESIM ). 
[0050] At step 1 57 the computer FSof the service pro- 
vider performs a cryptographic operation of the string 55 
HCD' C | ES | M with the public key PbKc^, present on the 
digital certificate CD CIE , thereby obtaining the string 

HCD CIESIM = HCD 'CIESIM ® PbK ClE- 
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[0051] At step 159 the computer FS compares the 
string HCD CiESIM with the string HCD* C | ES1M 
(HCD C | ES(M = HCD* C | ES1M ?). 

[0052] In case the string HCD C | ES | M does not match 
with the string HCD* CIES | M , the computer FS of the serv- 
ice provider will stop the user authentication procedure 
(step 160). 

[0053] At step 161, the computer FS interrogates a 
remote computer CRL disposing of the list of certificates 
revoked by the certification authority CA, said authority 
being identified through the digital certificate CD CIE of 
the electronic identity card 4. Since the computer CRL 
guarantees the validity of the certificate, it verifies if the 
latter is valid (in case, the computer CRL may also co- 
incide with the computer of the certification authority 
CA). 

[0054] Only in case of positive outcome (step 163), 
the user authentication has turned out well and the serv- 
ice provider will begin offering services to the user, since 
the service provider has unequivocally identified the 
owner of the SIM 6 contained in the mobile phone 10. 
Otherwise (step 162) the service provider will stop the 
user authentication procedure. 

Example 2 

[0055] It will be now described a second embodiment 
of the invention wherein the unique string ID SIM of the 
SIM 6 is not used. 

[0056] During the preparation stage of said SIM 6, the 
electronic identity card 4 and the SIM 6 are respectively 
inserted into the respective slots 2,3 of the device 1 . 
[0057] With reference to the Figure 5, at step 201 the 
device 1 or, as an alternative, the electronic identity card 
4 itself, generate a public key PbK SIM and a correspond- 
ing private key PrK S)M . 

[0058] At step 203 the device 1 , or the electronic iden- 
tity card 4, performs a cryptographic operation by means 
of a "hashing" algorithm of the digital certificate CD CIE 
read by the electronic identity card 4, thereby obtaining 
the string HCD CIE = H(CD CIE ). 

[0059] At step 205 the device 1, or the electronic 
identity card 4, performs an asymmetric cryptographic 
operation of the string HCD C j E with the private key 
PrK siM. thereby obtaining the string HCD' CIE = HCD CIE 
®PrK SIM . 

[0060] At step 207 the electronic identity card 4 per- 
forms an asymmetric cryptographic operation of the 
string HCD' CIE with the private key PrK C | E of the elec- 
tronic identity card 4, thereby obtaining the string 
HCD" CIE = HCD' CIE ® PrK CIE . 

[0061] Finally, the private key PrK S)M , the public key 
PbK SIM , the digital certificate CD CIE of the electronic 
identity card 4 and the string HCD" C , E are stored in the 
SIM 6 (step 209). In this way, the electronic identity card 
4 is univocally bound to the SIM 6 of a mobile phone 1 0. 
[0062] Naturally, the private key PrK S)M will be stored 
in the SIM 6, according to known techniques, thereby 
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guaranteeing the inaccessibility from outside, apart from 
the microprocessor of the mobile phone 10. 
[0063] Then the SIM card 6 can be taken out from the 
device 1 and be inserted into a mobile phone 10 for be- 
ing used in the authentication procedure with a service 
provider, for instance a bank, the public administration 
or a shop. 

[0064] With reference to the Figures 2b e 6, it will be 
now described the authentication procedure, according 
to said second embodiment of the invention. 
[0065] By making a phone call to a service provider, 
the mobile phone 1 0 equipped with a microprocessor or 
chip 12 and containing the SIM 6 is put into communi- 
cation with a computer FS of a service provider. 
[0066] During the stage of use of said SIM 6, at step 
251 the computer FS of the service provider requests 
and obtains from the SIM 6 of the mobile phone 10 the 
public key PbK s , M , the string HCD" CIE and the digital 
certificate CD CIE . 

[0067] At step 253 the computer FS generates a ran- 
dom number CH, creates from said number CH, by 
means of an asymmetric cryptographic operation with 
the public key PbK SIM , a string CH' = CH <8> PbK SIM , and 
sends said string CH' to the SIM 6 of the mobile phone 
10. 

[0068] At step 255 either the SIM 6 or the mobile 
phone 10 deciphers the string CH' with the private key 
PrK SIM , thereby obtaining the number CH* = CH' ® 
PrK siM- 

[0069] At step 257 the SIM 6, or the mobile phone 10, 
by means of an "hashing' 1 algorithm on the random 
number CH*, generates a string S. Said string S is con- 
catenated with itself more times until its length L s is 
equal to the length L HcrrciE of the string HCD M C , E (S = 
#H(CH*) until L s = L HCD .. CIE ). 

[0070] At step 259, either the SIM 6 or the mobile 
phone 10 generate a string HCD" ctE XOR obtained by 
performing the logic operation XOR between the string 
HCD M CIE and the string S. The string HCD M CIEXOR = 
HCD" C | E © S is successively sent to the computer FS. 
[0071] At step 261 , the computer FS, by means of a 
"hashing 1 ' algorithm on the random number CH, 
generates a string T. Said string T is concatenated with 
itself more times until its length L T is equal to the length 
Uhcd-cie_xor of the strin 9 HCD" CIE _ XOR (T = #H(CH) 
until L T = L HCD .. CIE _ XOR ). 

[0072] At step 263, the computer FS obtains the string 
HCD" CIE = HCD" C | E _ XOR ® T by performing the logic op- 
eration XOR between the string HCD" C | EXOR and the 
string T 

[0073] At step 265, the computer FS deciphers the 
string HCD" C | E with the public key PbKQ| E , present on 
the digital certificate CD C , E , thereby obtaining the string 
HCD' CIE = HCD" CIE 0 PbK CIE . 

[0074] At step 267, the computer FS deciphers the 
string HCD' C1E with the public key PbK SIM , thereby ob- 
taining the string HCD* CIE = HCD' CIE ® PbK SjM . 
[0075] At step 269, the computer FS by means of a 



"hashing" algorithm on the digital certificate CD C!E , ob- 
tains the string HCD CIE = H(CD C | E ). 
[0076] At step 271, the computer FS compares the 
string HCD* CIE with the string HCD C , E (HCD* C)E = 

5 HCD C!E ?). In case the string HCD* CjE does not match 
with the string HCD CIE , the service provider will stop the 
user authentication procedure (step 272). 
[0077] At step 273, the computer FS interrogates a 
remote computer CRL disposing of the list of certificates 

10 revoked by the certification authority CA, said authority 
being identified through the digital certificate CD CIE of 
the electronic identity card 4 (in case, the computer CRL 
can also coincide with the computer of the certification 
authority CA). Since the computer CRL guarantees the 

15 validity of the certificate, it verifies if the latter is valid. 
[0078] Only in case of positive outcome (step 275), 
the user authentication has turned out well and the serv- 
ice provider will begin offering services to the user, since 
the service provider has unequivocally identified the 

20 owner of the SIM 6 contained in the mobile phone 10. 
Otherwise (step 274) the service provider will stop the 
user authentication procedure. 
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[0079] A further embodiment of the method according 
to the invention provides for the use of a chip 1 2 present 
in a mobile phone 10 for performing the biggest part of 
the cryptographic operations required by the method ac- 

30 cording to the invention. 

[0080] With reference to the Figure 7, during the stage 
of preparation of said SIM 6, at step 301 the chip 12 
provided in the mobile phone 10 generates a pair of pri- 
vate and public keys PrK SIM e PbK SIM that is stored in 

35 a memory area 1 4 of said chip 1 2. 

[0081] At the successive step 303 the public key Pb- 
k sim is written on the SIM 6 that is inserted into the mo- 
bile phone 10. 

[0082] The SIM card 6 is then taken out from the mo- 
^0 bile phone 1 0 and inserted into the device 1 wherein also 
the electronic identity card 4 will be inserted. 
[0083] At step 305 the device 1 requests and obtains 
from the SIM 6 a unique string ID S | M , that generally is 
the serial number of the SIM 6. In this same step the 
45 device 1 requests and obtains the digital certificate 
CD CIE from the electronic identity card 4. 
[0084] At step 307 the device 1 concatenates the dig- 
ital certificate CD CIE with the string ID SIM , thereby ob- 
taining a string CD C , ESIM = CD CIE # ID SIM . 
50 [0085] At step 309 the device 1, or the electronic 
identity card 4, obtains the string HCD CIESIM = H 
( cd ciesim) bv means of a "hashing" algorithm on the 
string CD clESIM . 

[0086] At step 311 the electronic identity card 4 uses 
55 the private key PrK C)E for performing a cryptographic 
operation on the string HCD C | ESJM , thereby obtaining a 
string HCD' CIESlM = HCD CIESIM ® PrK CIE . 
[0087] At step 313 the device 1 uses the public key 
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PbK slM generated at step 301 for performing an 
asymmetric cryptographic operation on the string 
HCD' C | ESIM , thereby obtaining the string H P CD" CIESIM = 
HCD' CjESIM ® PbK SIM . 

[0088] At step 315 the device 1 writes on the SIM 6 
the string H P CD M CIES!M and the digital certificate CD CIE 
that is located on the electronic identity card 4. 
[0089] Successively, the SIM 6 can be inserted again 
into the mobile phone 10, 

[0090] At step 31 7 the chip 12 performs an asymmet- 
ric cryptographic operation on the string H P CD" C | ESIM 
with the private key PrK SIM , thereby obtaining the string 

HCD CIESIM = HPCD "CIESIM ® P r K SIM* 

[0091] Successively, at step 31 9, the chip 1 2 performs 
an asymmetric cryptographic operation on the string 
HCD ciesim with the private key PrK SIM , thereby obtain- 
ing the string HCD M CIESIM = HCD' CIESIM ® P r K SIM . 
[0092] At step 321 the chip 1 2 writes in its memory 14 
the string HCD M CIESlM and the digital certificate CD C | E 
associating them to the public key PbK S | M generated at 
step 301. 

[0093] At step 323 the chip 12 provides for deleting 
from the SIM 6 the string H P CD" C | ESIM and the digital 
certificate CD CIE . 

[0094] The SIM card 6 and the mobile phone 10 can 
be used in the authentication procedure with a service 
provider, for instance a bank, the public administration 
or a shop. 

[0095] With reference to the Figures 2a e 8, it will now 
be described the authentication procedure according to 
this third embodiment of the invention. 
[0096] By making a phone call to a service provider, 
the mobile phone 10 containing the SIM 6 is put into 
communication with a computer FS of a service provid- 
er. 

[0097] During the stage of use of said SIM 6, at step 
351 the chip 1 2 of the mobile phone 1 0 reads the string 
ID SIM from the SIM 6. 

[0098] At step 353 the computer FS of the service pro- 
vider requests and obtains the string HCD" CIES1M , the 
digital certificate CD CIE the public key PbK SIM and the 
string ID SIM from the chip 12 of the mobile phone 10. 
[0099] At stage 355 the computer FS of the service 
provider concatenates the digital certificate CD C | E with 
the string ID S | M , thereby obtaining the string CD' CIESIM 
= CD CIE # ID SIM . 

[01 00] At step 357 the computer FS performs a cryp- 
tographic operation by means of an "hashing" algorithm 
on the string CD* CIES | M , thereby obtaining the string 
HCD* C | EStM = H(CD* C | ESIM ). 

[0101] At step 359 the computer FS of the service 
provider performs an asymmetric cryptographic 
operation of the string HCD" CIES | M with the public 
PbK slM , thereby obtaining the string HCD' C | ES | M = 
HCD" C | ES | M <S> PbK SIM . 

[0102] At step 361 the computer FS of the service pro- 
vider performs an asymmetric cryptographic operation 
of the string HCD' CIES | M with the public key PbK CIE , 



present on the certificate CD C(E , thereby obtaining the 
string HCD CIES!M = HCD' CIESIM ® PbK CIE . 
[0103] At step 363 the computer FS compares the 
string HCD CIESIM with the string HCD* CIESIM 

5 ( HCD CIESIM = HCD *CIESIM ? )' 

[0104] In case the string HCD CIESIM does not match 
with the string HCD* CIESIM , the computer FS of the serv- 
ice provider will stop the user authentication procedure 
(step 364). 

w [0105] At step 365, the computer FS interrogates a 
remote computer CRL disposing of the list of certificates 
revoked by the certification authority CA, said authority 
being identified through the digital certificate CD CIE of 
the electronic identity card 4 (in case, the computer CRL 

*5 can also coincide with the computer of the certification 
authority CA). Since the computer CRL guarantees the 
validity of the certificate, it verifies if the latter is valid. 
[0106] Only in case of positive outcome (step 367), 
the user authentication has turned out well and the serv- 

20 ice provider will begin offering services to the user, since 
the service provider has unequivocally identified the 
owner of the SIM 6 contained in the mobile phone 10. 
Otherwise (step 366) the service provider will stop the 
user authentication procedure. 

25 

Example 4 

[0107] A fourth embodiment according to the inven- 
tion provides for a second computer that can be consult- 
so ed for instance through Internet and is managed by a 
third party different from the user and from the service 
provider. 

[01 08] With reference to the Figure 2c, a computer TP 
of a third party is equipped with a memory 11 and, on 
35 the one side, can be connected to the device 1 and, on 
the other side, can communicate with a computer FS of 
a service provider. 

[0109] During the preparation stage of said SIM 6, the 
electronic identity card 4 and the SIM 6 are respectively 

40 inserted into the respective slots 2,3 of the device 1 . 
[01 1 0] With reference to Figure 9, at step 401 the de- 
vice 1 requests and obtains from the SIM 6 a unique 
string ID S | M , that is generally the serial number of the 
SIM 6. In this same step, the device 1 requests and ob- 

45 tains from the electronic identity card 4 the digital certif- 
icate CD C)E 

[0111] At step 403 the device 1 concatenates the dig- 
ital certificate CD C!E with the string ID S)M , thereby ob- 
taining a string CD C | ESIM = CD CIE # ID SIM . 

50 [0112] At step 405 the device 1, or the electronic iden- 
tity card 4, performs a cryptographic operation by means 
of a "hashing" algorithm on the string CD C | ES!M , thereby 
obtaining the string HCD CIESIM = H(CD CIESIM ). 
[0113] At step 407 the electronic identity card 4 uses 

55 the private key PrK^ for performing an asymmetric 
cryptographic operation on the string HCD aESIM , 
thereby obtaining the string HCD' CIES | M = HCD CIESIM ® 
P'K CIE . 
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[0114] The device 1 transfers the string HCD' C , ESIM 
and the digital certificate CD C | E to the computer TP (step 
409). 

[0115] At step 411 the computer TP or the electronic 
identity card 4 or the device 1 generates a public key 
PbK S | M and a corresponding private key PrK S)M that are 
in any case stored in the memory 1 1 of the computer TP. 
[0116] At step 413 the computer TP uses the private 
key PrK S | M for performing an asymmetric cryptographic 
operation of the string HCD' CES | M , thereby obtaining the 
string HCD" ctESIM = HCD' CIESIM 0 PrK SIM . 
[0117] At step 41 5 the computer TP stores the digital 
certificate CD C | E and the string HCD" C | ESIM , besides as- 
sociating biunivocally the user phone number NTEL with 
said data and with the public key PbK S | M and the private 

^ Pr K S i M - 

[0118] At step 417 the computer TP sends its IP ad- 
dress and the public key PbK s , M to the device 1 that 
stores them on the SIM 6. In this way, the electronic 
identity card 4 is bound univocally to the SIM 6 of a mo- 
bile phone 10 through the computer TP. 
[01 1 9] Then the SIM card 6 can be taken out from the 
device 1 and be inserted into the mobile phone 10 in 
order to be used in the authentication procedure with a 
service provider, for instance a bank, the public admin- 
istration or a shop. 

[0120] With the reference to the Figures 2a and 10 it 
will be now described the authentication procedure ac- 
cording to this fourth embodiment of the invention. 
[0121] By making a phone call to a service provider, 
a mobile phone 1 0 containing the SIM 6 is put into com- 
munication with a computer FS of a service provider. 
[0122] During the stage of use of said SIM 6, at step 
451 the computer FS of the service provider requests 
and obtains from the SIM 6 of the mobile phone 10 the 
IP address of the computer TP, the public key PbK SIM , 
the user phone number NTEL and the unique string 

[0123] At step 453 the computer FS communicates 
via Internet with the computer TP, thanks to the IP ad- 
dress, and sends to it the user phone number NTEL. 
[0124] At step 455 the computer TP, thanks to the 
phone number, sends to the computer FS the digital cer- 
tificate CD CIE and the string HCD M CIESIM corresponding 
to the user phone number NTEL. 
[0125] At step 457 the computer FS of the service 
provider concatenates the string CD C)E with the string 
id sim> thereby obtaining the string CD* CIESIM = CD CIE # 

[0126] At step 459 the computer FS performs a cryp- 
tographic operation by means of an "hashing" algorithm 
on the string CD* C , ESIM , thereby obtaining the string 
hcd *ciesim = h ( cd *ciesim)- 

[01 27] At step 461 the computer FS of the service pro- 
vider deciphers the string HCD" C j ES | M with the public 
key PbK s , M , thereby obtaining the string HCD' C | ESIM = 
HCD" CIESIM ® PbK slM . 

[01 28] At step 463 the computer FS of the service pro- 



vider deciphers the string HCD' ctESIM with the public key 
PbK C | E , present on the digital certificate CD C | E , thereby 
obtaining the string HCD C , ES , M = HCD' C , ESIM ® PbK CIE . 
[0129] At step 465 the computer FS compares the 
5 string HCD CIESIM with the string HCD* CIESIM 
(HCD C , ESIM = HCD* CIESIM ?). 

[0130] In case the string HCD C)ES | M does not match 
with the string HCD* CIESlM , the computer FS of the serv- 
ice provider will stop the user authentication procedure 

10 (step 466). 

[0131] At step 467, the computer FS interrogates a 
remote computer CRL disposing of the list of certificates 
revoked by the certification authority CA, said authority 
being identified through the digital certificate CD CIE of 

15 the electronic identity card 4 (in case, the computer CRL 
can also coincide with the computer of the certification 
authority CA). Since the computer CRL guarantees the 
validity of the certificate, it verifies if the latter is valid. 
[0132] Only in case of positive outcome (step 469), 

20 the user authentication has turned out well and the serv- 
ice provider will begin offering services to the user, since 
the service provider has unequivocally identified the 
owner of the SIM 6 contained in the mobile phone 10. 
Otherwise (step 468) the service provider will stop the 

25 user authentication procedure. 

Example 5 

[0133] A fifth embodiment of the method according to 
30 the invention concerns the possibility for the user to go 
directly to a service provider with a mobile phone and 
an electronic identity card. 

[01 34] During the preparation stage of said SIM 6, the 
electronic identity card 4 and the SIM 6 are respectively 

35 inserted into the respective slots 2,3 of the device 1 . 
[0135] With reference to the Figure 11, at step 501 the 
device 1 , or the electronic identity card 4, performs a 
cryptographic operation by means of a "hashing" algo- 
rithm on the digital certificate CD C | E read by the elec- 

40 tronic identity card 4, thereby obtaining a string HCD CIE 
= H(CD CIE ). 

[0136] At step 503 the electronic identity card 4 per- 
forms an asymmetric cryptographic operation on the 
string HCD C)E with the private key PrK CIE present on the 
45 electronic identity card 4, thereby obtaining the string 
HCD' CIE = HCD CIE ®PrK CIE . 

[0137] At step 505 the device 1 transfers the string 
HCD' C | E , the digital certificate CD C | E and the unique 
string ID SJM , that is generally the serial number of the 
50 SIM 6, to the computer FS of the service provider that 
is equipped with a memory (13). 

[0138] At step 507 the computer FS generates, by 
means of a "hashing" algorithm on the string ID S | M , a 
string HID SIM = H(ID S)M ) that is concatenated with itself 
55 (step 509) until the length L s of the string S so generated 
is not equal to the length L HCD . CIE of the string HCD * QXE 
(S = #(HID SIM ) until L S =L HCD . CIE ). 
[01 39] At step 511a logic operation XOR between the 



8 




EP 1 282 



string HCD' CIE and the string S is performed, thereby 
obtaining a string HCD' C | EXO r = HCD' C | E © S. 
[0140] At step 513 the user phone number NTEL, the 
string HCD' CIEXOR and the digital certificate CD CIE are 
stored on the computer FS. 5 
[0141] Then the SIM card 6 can be taken out from the 
device 1 and be inserted into a mobile phone 10 for be- 
ing used in the authentication procedure with the service 
provider where the operations described at the steps 
501 -513 have been performed. 10 
[01 42] With reference to the Figures 2a and 1 2, it will 
be now described the authentication procedure accord- 
ing to said fifth embodiment of the invention. 
[0143] By making a phone call to a service provider, 
the mobile phone 10 containing the SIM 6 is put into is 
communication with a computer FS of a service provid- 
er. 

[01 44] During the use stage of said second smart card 
6, at step 551 the computer FS requests and obtains 
from the SIM 6 the phone number NTEL and the unique 20 
string ID SIM . 

[0145] At step 553 the computer FS performs a cryp- 
tographic operation by means of a "hashing" algorithm 
of the string ID SIM , thereby obtaining the string HID SIM 
= H(ID SIM ). ~'" ^ 25 

[01 46] At step 555 the computer FS generates a string 
T that is concatenated with itself more times until it has 
a length L T equal to the length L HCD . C!E XOR of the string 
HCD' C | E XOR associated to the corresponding phone 
number NTEL (T = #(HID S!M ) until L T = L HCD . c , E _ XOR ). so 
[0147] At step 557 a logic operation XOR is performed 
between the string HCD' CIE _ XOR and the string T ob- 
tained at step 555, thereby obtaining the string HCD* C | E 
= HCD' c , e _ XO r © T. 

[0148] At step 559 an asymmetric cryptographic op- 35 
eration of the string HCD' C , E with the public key PbK CIE 
is performed, thereby obtaining the string HCD C(E = 
HCD' clE ® PbK CIE . 

[0149] At step 561 the computer FS obtains by means 

of a "hashing" algorithm on the digital certificate CD C(E 40 

the string HCD* C)E = H(CD CIE ). 

[0150] At step 563 the computer FS compares the 
string HCD C , E with the string HCD* CIE (HCD C]E = 
HCD* CIE ?). 

[0151] In case the string HCD C)E does not match with 45 
the string HCD* C | E , the computer FS of the service pro- 
vider will stop the user authentication procedure (step 
564). 

[0152] At step 565, the computer FS interrogates a 
remote computer CRL disposing of the list of certificates 50 
revoked by the certification authority CA, said authority 
being identified through the digital certificate CD aE of 
the electronic identity card 4 (in case, the computer CRL 
can also coincide with the computer of the certification 
authority CA). Since the computer CRL guarantees the 55 
validity of the certificate, it verifies if the latter is valid. 
[0153] Only in case of positive outcome (step 567), 
the user authentication has turned out well and the serv- 
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ice provider will begin offering services to the user, since 
the service provider has unequivocally identified the 
owner of the SIM 6 contained in the mobile phone 10. 
Otherwise (step 566) the service provider will stop the 
user authentication procedure. 

Example 6 

[0154] It will be now described a sixth method for au- 
thenticating the user of an electronic identity card 4 by 
means of a SIM 6 of the type suitable to be used in a 
mobile phone in which an "hashing" algorithm is not 
used. 

[01 55] In fact, as it is known, the advantage of storing 
strings, to which an "hashing" algorithm has been ap- 
plied, consists in the fact that the length of said strings, 
typically of 16 or 20 bytes, is at least of two orders of 
magnitude lower than the length of a digital certificate 
that is typically of 4 kilobytes. 

[0156] This fact is extremely important especially for 
the authentication methods in which the strings are 
stored in the SIM 6 and in the chip 1 2, that do not dispose 
of a so high memory capacity as the memories of the 
computers FS or TP. 

[01 57] With reference to this sixth example, during the 
preparation stage of said SIM 6, the electronic identity 
card 4 and the SIM 6 are respectively inserted into the 
slots 2,3 of the device 1 . 

[01 58] With reference to the Figure 1 3, at step 601 the 
device 1 requests and obtains from the SIM 6 a unique 
string ID S | M , that is generally the serial number of the 
SIM. In this same step, the device 1 requests and ob- 
tains from the electronic identity card 4 the digital certif- 
icate CD CIE . 

[0159] At step 603 the device 1 concatenates the dig- 
ital certificate CD CIE with the unique string ID slM , there- 
by obtaining a string CD CIESIM = CD C)E # ID S , M . 
[0160] At step 605 the electronic identity card 4 uses 
the private key PrK CIE for performing an asymmetric 
cryptographic operation on the string CD CIESIM obtained 
at step 603, thereby obtaining a string CD' CIESjM = 
cd ciesim ® PrK ciE- 

[0161] At step 607 the string CD' C , ESIM and the digital 
certificate CD C)E containing the public key PbK C)E of the 
electronic identity card 4 are stored on the SIM 6. In this 
way, the electronic identity card 4 is bound univocally to 
the SIM 6 of a mobile phone 1 0. 

[0162] Then the SIM card 6 can be taken out from the 
device 1 and be inserted into the mobile phone 10 for 
being used in the authentication procedure with a serv- 
ice provider, for instance a bank, the public administra- 
tion or a shop. 

[0163] With reference to the Figures 2a and 14 it will 
be now described the authentication procedure accord- 
ing to this sixth embodiment of the invention. 
[0164] By making a phone call to a service provider, 
a mobile phone 10 containing the SIM 6 is put into com- 
munication with a computer FS of a service provider. 
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[01 65] During the use stage of said second smart card 
6, at step 651 the computer FS of the service provider 
requests and obtains from the SIM 6, via the mobile 
phone 10, the string CD' CIESIM , the digital certificate 
CD CIE , and the unique string ID SIM of the SIM 6. 
[01 66] At step 653 the computer FS of the service pro- 
vider concatenates the digital certificate CD CIE with the 
string ID S , M , thereby obtaining the string CD* CIES | M = 
CD C)E # ID SIM . 

[01 67] At step 655 the computer FS of the service pro- 
vider will perform an asymmetric cryptographic opera- 
tion of the string CD' C , ES , M with the public key PbK C)E , 
present on the digital certificate CD CIE , thereby obtain- 
ing the string CD CIES | M = CD' CIESIM ® PbK C)E . 
[0168] At step 657 the computer FS compares the 
string CD CjESIM with the string CD* CIESIM (CD CIESIM = 



CD' 



CIESIM 



[0169] In case the string CD aESIM does not match 
with the string CD* CIESIM , the computer FS of the service 
provider will stop the user authentication procedure 
(step 658). 

[0170] At step 659, the computer FS interrogates a 
remote computer CRL disposing of the list of certificates 
revoked by the certification authority CA, said authority 
being identified through the digital certificate CD C)E of 
the electronic identity card 4 (in case, the computer CRL 
can also coincide with the computer of the certification 
authority CA). Since the computer CRL guarantees the 
validity of the certificate, it verifies if the latter is valid. 
[0171] Only in case of positive outcome (step 661), 
the user authentication has turned out well and the serv- 
ice provider will begin offering services to the user, since 
the service provider has unequivocally identified the 
owner of the SIM 6 contained in the mobile phone 10. 
Otherwise (step 660) the service provider will stop the 
user authentication procedure. 

Example 7 

[0172] It will be now described a seventh embodiment 
of the invention wherein the unique string ID SIM of the 
SIM 6 is used. 

[0173] During the preparation stage of said SIM 6, the 
electronic identity card 4 and the SIM 6 are respectively 
inserted into the respective slots 2,3 of the device 1 . 
[0174] With reference to the Figure 15, at step 701 the 
SIM 6 or, as an alternative, the device 1 or the electronic 
identity card 4 or the chip 12 of the mobile phone 10, 
generate a public key PbK S)M and a corresponding pri- 
vate key PrK SIM . The public key PbK SIM and the corre- 
sponding private key PrK s , M are in any case stored on 
the SIM 6. Obviously, the private key PrK SIM is stored 
on the SIM 6, according to known techniques, thereby 
guaranteeing the inaccessibility from outside. 
[0175] At step 703 the device 1 requests and obtains 
from the SIM 6 a unique string ID SIM that is generally 
the serial number of the SIM, univocally assigned by the 
manufacturer of the SIM itself. In this same step, the 



device 1 requests and obtains the digital certificate 
CD CIE from the electronic identity card 4. 
[01 76] At step 705 the device 1 concatenates the dig- 
ital certificate CD C)E with the unique string ID S | M , there- 

5 by obtaining a string CD CIESIM = CD CIE#tDSIM . 

[01 77] At step 707 the device 1 or the electronic iden- 
tity card 4 performs a cryptographic operation by means 
of a "hashing" algorithm of the string CD CIES | M , thereby 
obtaining the string HCD C | ESlM =H(CD CIESIM ). 

10 [01 78] At step 709 the SIM 6 performs an asymmetric 
cryptographic operation of the string HCD aESIM with the 
private key PrK SIM , thereby obtaining the string 

HCD'c^sim = hcd ciesim ® PrK SIM- 

[0179] At step 711 the electronic identity card 4 per- 
15 forms an asymmetric cryptographic operation of the 

string HCD* C | ES | M with the private key PrK CIE , thereby 

obtaining the string HCD" CIESIM = HCD' CIESIM <8> PrK CfE . 

[0180] Finally, at step 71 3 the digital certificate CD clE 

of the electronic identity card 4 and the string 
20 HCD" C , ES | M are stored on the SIM 6 (step 713). In this 

way, the electronic identity card 4 is univocally bound to 

the SIM 6. 

[0181] Then the SIM card 6 can be taken out from the 
device 1 and be inserted into a mobile phone 10 for be- 
25 ing used in the authentication procedure with a service 
provider, for instance a bank, the public administration 
or a shop. 

[0182] With reference to the Figures 2b and 1 6, it will 
be now described the authentication procedure accord- 
30 ing to this embodiment of the invention. 

[0183] By making a phone call to a service provider, 
the mobile phone 10 containing the SIM 6 is put into 
communication with a computer FS of a service provid- 
er. 

35 [0184] During the use stage of said SIM 6, at step 751 
the computer FS of the service provider requests to the 
SIM 6 either the public key PbK SIM or the digital certifi- 
cate CD CIE and the identification number ID SIM of the 
SIM 6. In reply, it obtains respectively PbK* s , M , CD* CIE 

40 e ID* SIM . It should be noted that it could happen that 
PbK s , M , CD clE and ID SIM do not match respectively with 
PbK *siM' cd *cie e ,d *sim due to transmission errors or 
deliberate alterations. 

[0185] At step 753 the computer FS, in possession of 
45 the public key PbK CA of the certification authority CA 
identified through the digital certificate CD* CIE of the 
electronic identity card 4 and guaranteeing the certifi- 
cate itself, verifies the validity of the signature of the cer- 
tificate body by the CA itself. 
so [0186] In addition, the computer FS verifies that the 
digital certificate CD* CIE has not expired. Finally, the 
computer FS interrogates a remote computer CRL, dis- 
posing of the list of the certificates revoked by the cer- 
tification authority CA (in case, the computer CRL can 
55 also coincide with the computer of the certification au- 
thority CA). 

[01 87] Since the computer CRL guarantees the valid- 
ity of the certificate, it will verify that this latter has not 
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been revoked. 

[0188] Only in case of positive outcome of the three 
checks, the computer FS will proceed with step 755; oth- 
erwise (step 754) the service provider will stop the user 
authentication procedure. 

[01 89] At step 755 the computer FS considers the cer- 
tificate CD* C | E as authentic (and therefore matching with 
CD CIE ) and valid. 

[0190] At step 757 the computer FS generates a ran- 
dom number CH, creates from said number CH, by 
means of an asymmetric cryptographic operation with 
the public key PbK* SIM , a string CH' = CH <S> PbK* S(M 
and sends said string CH' to the SIM 6 of the mobile 
phone 10 that receives it as CH**. 
[0191] At step 759 the SIM 6 deciphers the string CH'* 
with the private key PrK s , M , thereby obtaining the 
number CH* = CH'* <8> PrK SIM . 

[0192] At step 761 the SIM 6 expands, by means of 
an expansion algorithm E, said number CH*, thereby 
obtaining a string S of length L s , equal to the length 
Lhcd-ciesim of tne strin 9 hcd "ciesim (S=E(CH*), so that 
L s 55 l hcd b ciesim)- 

[0193] At step 763 a string HCD" CIES | M XOR = 
HCD" clES | M ® S obtained performing a logic operation 
XOR between the string HCD" C | ES | M and the string S is 
generated by the SIM 6. The string HCD" CIESIM XOR is 
successively sent to the computer FS that receives it as 
HCD"* CJES | M _ XOR . 

[0194] At step 765 the computer FS expands by 
means of an expansion algorithm E the random number 
CH, thereby obtaining a string T of length L T equal to 
the length L HCD -. CjESIM _ XOR of the string 
HCD"* CIESIMXOR (T-E(CH), so that L T = 



-HCD-CIESIM. 



_xor)- 



[0195] At step 767 the computer FS obtains the string 
hcd "*ciesim = hcd "*ciesim_xor © T by performing the 
logic operation XOR between the string 
HCD"* CIESlM XOR and the string T. 
[0196] At step 769 the computer FS deciphers the 
string HCD"* CIESIM with the public key PbK CIE , present 
on the digital certificate CD CE) thereby obtaining 
HCD** CIES | M = HCD"* C | ESIM 0 PbK CIE . 
[0197] At step 771 the computer FS deciphers the 
string HCD'* C | ES | M with the public key PbK* s , M , thereby 
obtaining the string HCD* CIES | M = HCD'* C | ESIM ® 
PbK* SIM . 

[0198] At step 773 the computer FS concatenates the 
digital certificate CD C)E with the string ID* S)M , thereby 
obtaining the string CD + CIES | M = CD C , E # ID* SIM . 
[0199] At step 775 it obtains the string HCD + CIESIM = 
H (CD+ CIESIM ) by means of an "hashing" algorithm on the 
string CD- CIESIM . 

[0200] At step 777 the computer FS compares the 
string HCD* CIESIM with the string HCD+ clESIM 
(HCD* C!ESIM = HCD+ CIESIM ?). In case the string 
HCD* C | ESlM does not match with the string HCD + C | ESIM , 
the service provider will stop the user authentication pro- 
cedure (step 778). 



[0201] Only in case of positive outcome (step 779), 
the user authentication has turned out well and the serv- 
ice provider will begin offering services to the user, since 
the service provider has unequivocally identified the 

5 owner of the SIM 6 contained in the mobile phone 10. 
[0202] Although in all the authentication methods de- 
scribed the digital certificate of the electronic identity 
card is used as a starting point, nonetheless it is also 
possible to use whatever string, provided that it contains 

10 the public key of the electronic identity card. 

[0203] Although in all the authentication methods de- 
scribed the electronic identity card is univocally bound 
to a smart card to be used in a mobile phone, it is also 
possible to bind univocally the electronic identity card to 

15 whatever device for storing data, like for instance a mag- 
netic or optical disk, a microprocessor and so on. 
[0204] As a consequence, it appears clear that the de- 
scribed methods are susceptible of being applied to 
whatever communication apparatus, also different from 

20 the mobile phone, provided that it is able to read data 
contained in the device 6 for storing data and to com- 
municate them to the exterior of the apparatus itself ei- 
ther via radio waves or through electric connections. 
[0205] It is clear that what has been described is given 

25 as a not limiting example and that changes and modifi- 
cations are possible without departing from the field of 
protection of the invention. 



30 Claims 



User authentication method performed by a com- 
puter (FS) by means of a data storing device com- 
prising the steps of: 

arranging a smart card (4) wherein a first 
private key (PrK CIE ) and a digital certificate 
(CD CIE ) containing the first public key (PbK^) 
corresponding to said first private key (PrKc^) 
are stored; 

arranging a device (6) for storing data; 
obtaining an identifying string (ID SIM ) of said 
device (6) for storing data; 
arranging a first coding method using said first 
private key (PrK C)E ) and a corresponding first 
decoding method using said first public key 
(PbK C)E ) corresponding to said first private key 
(PrK clE ); 

arranging a second coding method using said 
identifying string (ID SIM ); 
applying in succession said second coding 
method and said first coding method to a first 
string (CD CIE ) containing said first public key 
(PbK C)E ), in order to obtain a second string 

( hcd 'ciesim; hcd "ciesim); 
storing said first string (CD C | E ), said second 
string (HCD' CIES | M ;HCD" CIESIM ) and said iden- 
tifying string (ID slM ), in a memory (8;14;11 ) ac- 
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cessible to said computer (FS); 
putting said device (6) for storing data into com- 
munication with said computer (FS); 
applying said second coding method to said 
first string (CD CjE ) in order to obtain a third 5 
string (HCD* CIESIM ); 

applying said first decoding method to said sec- 
ond string (HCD' CIES(M ;HCD M ctES , M ), inorderto 
obtain a fourth string (HCD C | ESIM ;HCD + CIESIM ); 
comparing said third string (HCD* CIESIM ) with 10 
said fourth string (HCD CIESIM ;HCD+ CIES | M ) 
and, in case of identity, informing the computer 
(FS) that said device (6) for storing data has 
been necessarily obtained from said smart card 
(4). 15 

2. Authentication method according to claim 1 , where- 
in: 

said second coding method consists in a first 20 
operation of concatenation of said first string 
(CD CIE ) with said identifying string (ID SIM ); 
said first coding method consists in a second 
asymmetric cryptographic operation of the re- 
sult of said first operation (HCD C!ESIM ) with said 25 
first private key (PrK C)E ); and 
said first decoding method consists in a third 
asymmetric cryptographic operation of said 
second string (HCD' CIESIM ) with said first public 
key (PbK CIE ). 30 

3. Authentication method according to claim 2, where- 
in an "hashing" algorithm is applied to the result of 
said first operation (CD C | ES | M ,CD* CIESIM ) and to the 
result of said third operation (CD CIESIM ). 35 

4. Authentication method according to claim 2 or 3, 
wherein said second operation is performed by said 
smart card (4) and said third operation is performed 

by said computer (FS). 40 



string (HCD' clESlM ); 

performing a third asymmetric crypto- 
graphic operation of said fifth string 
(HCD* C | ESIM ) with said second public key 
(PbK SIM ), in order to obtain a sixth string 
(H p CD" clESIM ); 

performing a fourth asymmetric crypto- 
graphic operation of said sixth string 
(H P CD" C)ESIM ) with said second private 
key (PrK s , M ), in order to obtain a seventh 
string (HCD' CIESIM ); 

performing a fifth asymmetric cryptograph- 
ic operation of said seventh string 
(HCD' C | ES | M ) with said second private key 
(PrK S | M ), in order to obtain said second 
string (HCD" CIESIM ); 

and said first decoding method consists in the 
steps of: 

performing a sixth asymmetric crypto- 
graphic operation of said second string 
(HCD" C(ESIM ) with said second public key 
(PbK SIM ), in order to obtain a ninth string 
(HCD' C | ESIM ); 

performing a seventh asymmetric cryptog- 
raphy operation of said ninth string 
(HCD' C(ES | M ) with said first public key (Pb- 
K CIE ), in order to obtain said fourth string 
(HCD C | ESIM ). 

7. Authentication method according to claim 6, where- 
in said second operation is performed by said smart 
card (4), said fourth and fifth operations are per- 
formed by a microprocessor (12) of said apparatus 
(1 0), and said sixth and seventh operations are per- 
formed by said computer (FS). 

8. Authentication method according to claim 5, where- 
in: 



5. Authentication method according to claim 1 , where- 
in said first coding method and said first decoding 
method provide for the use of a second private key 
(PrK SIM ) and of a second public key (PbK SIM ). 45 



said second coding method consists in a first 
operation of concatenation of said first string 
(CD CIE ) with said identifying string (ID S)M ); 
said first coding method consists in the steps of: 



6. Authentication method according to claim 5, 
wherein : 

said second coding method consists in a first 50 
operation of concatenation of said first string 
(CD CIE ) with said first identifying string (ID SIM ); 
said first coding method consists in the steps of: 

- performing a second asymmetric crypto- 55 
graphic operation of the result of said first 
operation (HCD CIESIM ) with said first pri- 
vate key (PrK CIE ), in order to obtain a fifth 



performing a second asymmetric crypto- 
graphic operation of the result of said first 
operation (HCD C , ES , M ) with said first pri- 
vate key (PrK CIE ), in order to obtain a fifth 
string (HCD' C1ESIM ); 

performing a third asymmetric crypto- 
graphic operation of said fifth string 
(HCD* CIESIM ) with said second private key 
(PrK SIM ), in order to obtain said second 
string (HCD" CIESIM ); 

and said first decoding method consists in the 
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steps of: 

performing a fourth asymmetric crypto- 
graphic operation of said second string 
(HCD" C | ESIM ) with said second public key 5 
(PbK SIM ), in order to obtain a seventh 
string (HCD' C | ESIM ); 

performing a fifth asymmetric cryptograph- 
ic operation of said seventh string 
(HCD' C , ES!M ) with said first public key (Pb- 10 
k cie)' in order to obtain said fourth string 
(HCD CIESIM ). 

9. Authentication method according to claim 8, where- 
in said second operation is performed by said smart '5 
card (4), said third operation is performed by a sec- 
ond computer (TP) and said fourth and fifth opera- 
tions are performed by said computer (FS). 

10. Authentication method according to any of the 20 
claims 6 to 9, wherein an "hashing" algorithm is ap- 
plied to the result of said first operation (CD C , ES , M ). 
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applying to said third string (HCDci E ;HCD' C | E ) 
said first/second decoding method, in order to 
obtain a fourth string (HCD* CIE ); 
comparing said first string (HCD C | E ) with said 
fourth string (HCD* C | E ) and, in case of identity, 
informing the computer (FS) that said device (6) 
for storing data has been necessarily obtained 
by said smart card (4). 

12. Authentication method according to claim 11, 
wherein: 

said second coding method consists in a first 
asymmetric cryptographic operation of said first 
string (CD CIE ) with said second public key (Pb- 
k sim); 

said first coding method consists in a second 
asymmetric cryptographic operation of the re- 
sult of said first operation (HCD' C i E ) with said 
first private key (PrKd E ); 
said first decoding method consists in the steps 
of: 



11. User authentication method performed by a com- 
puter (FS) by means of a device for storing data 25 
comprising the steps of: 

arranging a smart card (4) wherein a first 
private key (PrK CjE ) and a digital certificate 
(CD CIE ) containing the first public key (PbK c , E ) 30 
corresponding to said first private key (PrK clE ) 
are stored; 

arranging a device (6) for storing data; 
obtaining an identifying string (ID S | M ; PrK S!M , 
PbK SIM ) of said device (6) for storing data; 35 
arranging two coding methods and two 
decoding methods, said first coding method 
providing for the use of said first private key 
(PrK C)E ) and said first decoding method 
providing for the use of said public key (PbK CjE ) 40 
corresponding to said private key (PrK C | E ), said 
second coding method and said second 
decoding method providing for the use of said 
identifying string (ID SIM ; PrK SIM , PbK SfM ); 
applying in succession said first/second coding 45 
method and said second/first coding method to 
a first string (CD clE ) containing said public key 
(PbK CIE ), in order to obtain a second string 

(HCD" c , e ;HCD' C ie_xor); 

storing said first string (CD C | E ), said second 50 
string (HCD H clE ;HCD' C | E XOR ) and said identi- 
fying string (ID SIM ; PrK sl ^, PbK SIM ), in a mem- 
ory (13) accessible to said computer (FS); 
putting said device (6) for storing data into com- 
munication with said computer (FS); 55 
applying to said second string (HCD" clE ; 
HCD 

cie xor) sa, d second/first decoding meth- 
od, in order to obtain a third string (HCD' CIE ); 



generating a first random number (CH); 
creating from the first random number (CH) 
a fifth string (CH 1 ) by means of an asym- 
metric cryptographic operation with said 
second public key (PbK SIM ); 
performing a third asymmetric cryptogra- 
phy operation of said fifth string (CH') with 
said second private key (PrK SIM ), thereby 
obtaining a second random number (CH*); 
generating, by means of an "hashing" al- 
gorithm on said second random number 
(CH*), a sixth string (S) that is concatenat- 
ed with itself more times until its length (L s ) 
is equal to the length (L HCD « C | E ) of said sec- 
ond string (HCD" C(E ); 
generating a seventh string (HCD" c , e _ X or) 
obtained by performing a first logic opera- 
tion XOR between said second string 
(HCD" CjE ) and said sixth string (S); 
generating, by means of an "hashing" al- 
gorithm on said second random number 
(CH), an eight string (T) that is concatenat- 
ed with itself more times until its length (L T ) 
is equal to the length (L HCD - CIE XOR ) of 
said seventh string (HCD" C j E X or)J 
performing a second logic operation XOR 
between said seventh string (HCD" 
cie xor) and said eight string (T), thereby 
obtaining a string that corresponds to said 
third string (HCD' C | E ); 
performing a fourth asymmetric crypto- 
graphic operation on said third string 
(HCD' C | E ) with said first private key 
(PbK CIE ); 
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and said second coding method consists in the 
steps of: 

performing a fifth asymmetric cryptograph- 
ic operation on the result of said fourth op- 5 
eration (HCD' CIE ) with said second public 
key (PbK SIM ), thereby obtaining said fourth 
string (HCD* CIE ). 

13. Authentication method according to claim 12, 10 
wherein said storing device (6) is provided with a 
microprocessor. 

14. Authentication method according to claim 13, 
wherein said second operation is performed by said 15 
smart card (4), said third operation and said first log- 
ic operation are performed by said storing device 

(6) or by the mobile phone (10), and said fourth and 
fifth operations together with said second logic op- 
eration are performed by said computer (FS). 20 

15. Authentication method according to claim 11, 
wherein: 

said first coding method consists in performing 25 
a first asymmetric cryptographic operation of 
said first string with said first private key, in or- 
der to obtain a fifth string (HCD' CIE ); 
said second coding method consists in the 
steps of: 30 

concatenating said identifying string 
(ID S!M ) with itself until a sixth string (S) of 
length (L s ) equal to the length (L HCD . C | E ) of 
said fifth string (HCD' C)E ) is obtained; 35 
performing a first logic operation XOR be- 
tween said fifth string (HCD' C!E ) and said 
sixth string (S) for obtaining a string that 
corresponds to said second string 
(HCD' CIE _ XOR ); 40 

said second decoding method consisting in the 
steps of: 

concatenating said identifying string 45 
(ID SIM ) with itself until a seventh string (T) 
of length (L T ) equal to the length of said 
second string (L HCD . C | E XOR ) is obtained; 
performing a second logic operation XOR 
between said second string (HCD' C | E XOR ) so 
and said seventh string (T), in order to ob- 
tain an eight string (HCD' C)E ); 

said first decoding method consists in perform- 
ing a second asymmetric cryptographic opera- 55 
tion of said eight string (HCD' C | E ) with said first 
public key (PbK CIE ), in order to obtain a string 
that corresponds to said fourth string 



(HCD* CIE ). 

16. Authentication method according to claim 15, 
wherein said first operation is performed by said 
smart card (4) and said second operation together 
with said two logic operations are performed by said 
computer (FS). 

17. Authentication method according to any of the 
claims 11 to 16, wherein said first string is a string 
to which an "hashing" algorithm has been applied. 

18. Authentication method according to any of the 
claims from 1 to 4 and from 11 to 13, wherein said 
memory accessible to said computer (FS) is a mem- 
ory (8) contained in said device (6) for storing data. 

19. Authentication method according to any of the 
claims 1 ,5,6,7,10 wherein said memory accessible 
to said computer (FS) is a memory (14) contained 
in a microprocessor (1 2) of said communication ap- 
paratus (10). 

20. Authentication method according to any of the 
claims 1 ,5,8,9,10 wherein said memory accessible 
to said computer (FS) is a memory (11) contained 
in a second computer (TP). 

21. Authentication method according to any of the 
claims 11,14,15,16,17 wherein said memory acces- 
sible to said computer (FS) is a memory (13) con- 
tained in said computer itself (FS). 

22. Authentication method according to any of the pre- 
ceding claims, wherein said first string is the digital 
certificate (CD CIE ) stored in said smart card (4). 

23. Authentication method according to claim 22, 
wherein at the end of said authentication method, it 
is provided to verify the validity of said digital certif- 
icate (CD CIE ) by a remote computer (CRL) dispos- 
ing of a list of the certificates revoked by the certifi- 
cation authority (CA), said authority being identified 
through said digital certificate (CD CIE ), and only if 
said digital certificate (CD C)E ) is valid, the computer 
(FS) is informed that it is possible to provide for 
some services. 

24. Authentication method according to claim 23, 
wherein said remote computer (CRL) is the compu- 
ter of the certification authority (CA). 

25. Authentication method according to any of the pre- 
ceding claims, wherein said device (6) for storing 
data is intended to be used in a communication ap- 
paratus (10). 

26. Authentication method according to any of the pre- 



14 




EP 1 282 



ceding claims, wherein said communication appa- 
ratus (10) is a mobile phone. 

27. Authentication method according to any of the pre- 
ceding claims, wherein said device (6) for storing 5 
data is a second smart card. 

28. Device for obtaining a device (6) for storing data to 
be used in the authentication method as claimed in 

the claims from 1 to 27 starting from a smart card io 
(4) wherein a first string (CD CIE ) containing a public 
key (PbK C | E ) and a private key (PrK CIE ) corre- 
sponding to said public key are stored, said smart 
card (4) being usable for authenticating a user by 
means of a computer (FS), said device (1 ) compris- 15 
ing reading means of said smart card (4), reading/ 
writing means of said device (6) for storing data and 
data processing means, characterised in that said 
data processing means generate a second string 
(HCD , C | ES | M ;HCD M CIE ;HCD M CIESIM ; HCD' CIE _ XOR ) 20 
associated to said first string (CD C | E ), and store said 
second string (HCD'ces^jHCD-ceiHCD-ces^; 
hcd cie_xor)> together with an identifying string 
O^sim- PbK S j M , PrK SIM ) of said device (6) for storing 
data, in a memory accessible (8;11;13;14) to said 25 
computer (FS). 

29. Device according to claim 28, characterised In 
that, for obtaining said second string (HCD' CIES | M ; 
HCD"c, E ;HCD" CIESIM ; HCD' CIE _ XOR ) from said first 30 
string (CD C | E ) a first coding method using said first 
private key (PrK C)E ) and a second coding method 
using said identifying string (ID SIM ; PbK S)M , PrK S)M ) 

or vice versa are applied in succession. 

35 

30. Device according to one of the claims 28 or 29, 
characterised In that said memory accessible to 
said computer (FS) is a memory (8) contained in 
said device (6) for storing data. 

40 

31. Device according to one of the claims 28 or 29, 
characterised In that said memory accessible to 
said computer (FS) is a memory (13) contained in 
said computer (FS). 

45 

32. Device according to one of the claims 28 or 29, 
characterised In that said memory accessible to 
said computer (FS) is a memory (11) contained in 
a second computer (TP). 

50 

33. Device according to one of the claims 28 or 29, 
characterised In that said memory accessible to 
said computer (FS) is a memory (14) contained in 
a microprocessor (12). 

55 

34. Device according to one of the claims 28 to 33, 
characterised In that said first string is said digital 
certificate (CD CIE ). 




35. Device for storing data to be used in the authenti- 
cation method as claimed in the claims from 1 to 27, 
wherein are stored a first string (CD CIE ) containing 
a public key (PbK C)E ), an identifying string (ID S)M ; 

PbK siM' PrK siM) of sa ' d smart c ar d and a second 
string (HCD'cEs^iHCD-c^jHCD-cEs^iHCD' 
cie_xor) obtained by applying in succession to said 
first string (CD C)E ) two coding methods, wherein 
one of said two coding methods uses the private 
key (PrK C!E ) associated to said public key (PbK CIE ), 
and the other of said two coding methods uses said 
identifying string (ID SIM ; PbK SIM , PrK SIM ). 

36. Device for storing data according to claim 35, char- 
acterised In that said device is a smart card (6). 
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